Re: Access Control for Cross-site Requests WD Published

>
> There's a new proposal for this:
>
>   http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0219.html
>
> I think it addresses your concerns.

This looks good. It does seem to imply that other request headers may be 
considered for inclusion in the whitelist. Therefore, I would like to 
suggest the following additional headers be permitted in the standard 
whitelist of request headers:
Expect - A basic HTTP header that can be useful for checking a request before sending a full request
From - This can be voluntarily provided by user agents to identify who the user is
Range - To request a partial subset of a resource (with Atom Publishing Protocol this is becoming increasingly useful)
XSite-* - I believe we should have a subdomain of allowed custom headers, that both server and client will be mutually aware will not be filtered in cross site requests.
I don't believe any of these headers represents a security threat.


> No such optimization has been discussed and I'm not sure we should add 
> it. If this indeed becomes a common pattern we can always optimize later. 
> (Premature optimization and all...)

That sounds reasonable.
BTW, I am very excited about this specification; this is really going to 
open up some exciting possibilities. Good work,
Thanks,
Kris 

Received on Monday, 25 February 2008 23:37:58 UTC